Menu
Browse

Cyber Threat Actor: Yellow Drift

Actor Type Location Known Incidents
 Icon
Activist
Ukraine
1 incident
Profile

Yellow Drift is a threat actor that operates under the alias Yellow Drift and is known to be based in Ukraine. The group has publicly identified itself as pro‑Ukraine and claimed responsibility for a cyberattack on Russia’s largest state procurement platform, Roseltorg, on January 9 2025. In that incident the actors deleted approximately 550 terabytes of data, including emails and backups, which led to service outages affecting government agencies, state‑owned companies, and suppliers that rely on the platform for procurement processes. The attack forced Roseltorg to initially attribute the disruption to maintenance before acknowledging the breach, and although the company later restored data and infrastructure, its website remained inaccessible at the time of reporting. This activity fits within a broader pattern of pro‑Ukraine groups targeting Russian entities.

The group’s targeting appears focused on Russian state‑linked organizations, specifically procurement platforms, infrastructure providers, and agricultural technology firms. The observed effect of their actions is operational disruption, as demonstrated by the widespread data deletion that hampered normal business functions and prompted deadline extensions for contractual procedures. No public sources attribute financial gain or espionage motives to Yellow Drift; the documented outcome is strictly disruptive in nature. Consequently, the strategic objective inferred from the available evidence is to impede the functioning of Russian critical and administrative systems.

Regarding tactics, techniques, and procedures, the only TTP explicitly described in the source material is the large‑scale deletion or wiping of data, which suggests the use of wiper‑style tools to destroy emails and backups. No specific malware families, initial access vectors, or tooling details are disclosed in the reported incident or related coverage. Attribution information indicates that Yellow Drift is characterized as a pro‑Ukraine hacktivist collective, with no explicit link to a state sponsor or criminal consortium identified in the publicly available sources.

Beyond the Roseltorg operation, Yellow Drift has been referenced in connection with other attacks against Russian infrastructure and agricultural technology companies, although those campaigns are not detailed in the supplied material. The Roseltorg incident remains the most concretely documented and publicly attributed action linked to the group, providing the clearest picture of its current capabilities and focus.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources